Microsoft Edge 109 addresses a total of 14 security vulnerabilities. Out of the 14, 2 are Edge-specific, while 12 are for Chromium-based web browsers. These are discussed in detail down below. Also, as a reminder, Microsoft Edge version 109 will be the last supported Edge version on Windows 7, 8, and 8.1, as announced earlier. From Edge 110 and onwards, Edge will no longer be supported on the aforementioned operating systems. This makes it all the more important to upgrade to Edge version 109 at the earliest using the given guide below. Additionally, Microsoft has also made minor changes to the Security Baseline for Edge v107 and released it. To increase your security, you may also download Microsoft Edge Security Baseline for version 109 from below.
Edge 109 Release Summary
Complete Release Build: 109.0.1518.52Release Date: Thursday, January 12th, 2023Compatibility: Windows 11, 10, 8, 8.1, 7 (32-bit and 64-bit), Mac, Linux, iOS, and Android.Previous Build: Edge 108Bug Fixes: 14. More information about security fixes can be found here.
New in Microsoft Edge 109
In Edge 109, 14 security vulnerabilities have been addressed. Moreover, it also includes 8 new policies, 3 new features, and 2 policies that have become obsolete.
New Features
Account Linking between a personal Microsoft account (MSA) and Azure Active Directory (AAD) account.Users can now link their personal Microsoft account (MSA) to their Azure Active Directory (AAD) account through their place of employment or educational institution.Once connected, users who are logged in with their work or school account can earn Microsoft Rewards points for using Microsoft Bing or Windows search box.Tenant admins can also manage this functionality by utilizing the “LinkedAccountEnabled” policy or the Message Center component of the Microsoft 365 Admin Center.Changes to TLS server certificate verification.The certificate trust list and the certificate verifier will be separated from the root store of the host operating system in Microsoft Edge version 110. Instead, the browser will offer and ship with the default certificate trust list and the certificate validator.To manage when the integrated root store and certificate verifier are utilized, the “MicrosoftRootStoreEnabled” policy is now available for testing.The policy will no longer be supported in Microsoft Edge version 111.Text prediction.Microsoft Edge now offers word and sentence predictions on websites to assist you in writing quickly and accurately. Using the “TextPredictionEnabled” policy, administrators can limit the use of text predictions.This is currently only available in the US, India, and Australia in the English language only.
New Policies
The following list of policies has been introduced with Edge 109: Users can now link their personal Microsoft account (MSA) to their Azure Active Directory (AAD) account through their place of employment or educational institution. Once connected, users who are logged in with their work or school account can earn Microsoft Rewards points for using Microsoft Bing or Windows search box. Tenant admins can also manage this functionality by utilizing the “LinkedAccountEnabled” policy or the Message Center component of the Microsoft 365 Admin Center. The certificate trust list and the certificate verifier will be separated from the root store of the host operating system in Microsoft Edge version 110. Instead, the browser will offer and ship with the default certificate trust list and the certificate validator. To manage when the integrated root store and certificate verifier are utilized, the “MicrosoftRootStoreEnabled” policy is now available for testing. The policy will no longer be supported in Microsoft Edge version 111. Microsoft Edge now offers word and sentence predictions on websites to assist you in writing quickly and accurately. Using the “TextPredictionEnabled” policy, administrators can limit the use of text predictions. This is currently only available in the US, India, and Australia in the English language only.
WebHidAllowAllDevicesForUrlsDescription: This setting allows you to list sites that are automatically granted permission to access all available devices.The URLs must be valid or the policy is ignored. Only the origin (scheme, host, and port) of the URL is evaluated.This policy overrides DefaultWebHidGuardSetting, WebHidAskForUrls, WebHidBlockedForUrls, and the user’s preferences.Location:Administrative Templates/Microsoft Edge/Content settingsWebHidAllowDevicesForUrlsDescription: This setting lets you list the URLs that specify which sites are automatically granted permission to access an HID device with the given vendor and product IDs.Setting the policy Each item in the list requires both devices and URL fields for the item to be valid. Otherwise, the item is ignored.Each item in the devices field must have a vendor_id and may have a product_id field.Omitting the product_id field will create a policy matching any device with the specified vendor ID.An item that has a product_id field without a vendor_id field is invalid and is ignored.If you don’t set this policy, that means DefaultWebHidGuardSetting applies, if it’s set. If not, the user’s personal setting applies.URLs in this policy shouldn’t conflict with those configured through WebHidBlockedForUrls. If they do, this policy takes precedence over WebHidBlockedForUrls.Location:Administrative Templates/Microsoft Edge/Content settingsWebHidAllowDevicesWithHidUsagesForUrlsDescription: This setting allows you to list the URLs that specify which sites are automatically granted permission to access an HID device containing a top-level collection with the given HID usage.Each item in the list requires both usage and URL fields for the policy to be valid.Each item in the usages field must have a usage_page and may have a usage field.Omitting the usage field will create a policy matching any device containing a top-level collection with usage from the specified usage page.An item that has a usage field without a usage_page field is invalid and is ignored.If you don’t set this policy, that means DefaultWebHidGuardSetting applies, if it’s set. If not, the user’s personal setting applies.URLs in this policy shouldn’t conflict with those configured through WebHidBlockedForUrls. If they do, this policy takes precedence over WebHidBlockedForUrls.Location:Administrative Templates/Microsoft Edge/Content settingsMicrosoftRootStoreEnabledDescription: When this policy is set to enabled, Microsoft Edge will perform verification of server certificates using the built-in certificate verifier with the Microsoft Root Store as the source of public trust.When this policy is set to disabled, Microsoft Edge will use the system certificate verifier and system root certificates. When this policy is not set, the Microsoft Root Store or system-provided roots may be used.This policy will be removed in Microsoft Edge for Microsoft Windows and macOS once support for using the platform-supplied certificate verifier and roots are planned to be removed.Location:Administrative Templates/Microsoft Edge/DefaultClipboardSettingDescription: This policy controls the default value for the clipboard site permission.Setting the policy to “2” blocks sites from using the clipboard site permission.Setting the policy to “3” or leaving it unset lets the user change the setting and decide if the clipboard APIs are available when a site wants to use an API.This policy can be overridden for specific URL patterns using the ClipboardAllowedForUrls and ClipboardBlockedForUrls policies.This policy only affects clipboard operations controlled by the clipboard site permission and doesn’t affect sanitized clipboard writes or trusted copy-and-paste operations.Policy options mapping:BlockClipboard (2) = Do not allow any site to use the clipboard site permissionAskClipboard (3) = Allow sites to ask the user to grant the clipboard site permissionLocation:Administrative Templates/Microsoft Edge/ClipboardAllowedForUrlsDescription: Configure the list of URL patterns that specify which sites can use the clipboard site permission.Setting the policy lets you create a list of URL patterns that specify which sites can use the clipboard site permission. This doesn’t include all clipboard operations on origins that match the patterns. For example, users will still be able to paste using keyboard shortcuts because this isn’t controlled by the clipboard site permission.Leaving the policy unset means DefaultClipboardSetting applies for all sites if it’s set. If it isn’t set, the user’s personal setting applies.Location:Administrative Templates/Microsoft Edge/ClipboardBlockedForUrlsDescription: Configure the list of URL patterns that specify which sites can use the clipboard site permission.Setting the policy lets you create a list of URL patterns that specify sites that can’t use the clipboard site permission. This doesn’t include all clipboard operations on origins that match the patterns. For example, users will still be able to paste using keyboard shortcuts because this isn’t controlled by the clipboard site permission.Leaving the policy unset means DefaultClipboardSetting applies for all sites if it’s set. If it isn’t set, the user’s personal setting applies.Location:Administrative Templates/Microsoft Edge/SearchFiltersEnabledDescription: This policy lets you filter your autosuggestions by selecting a filter from the search filters ribbon. For example, if you select the “Favorites” filter, only favorites suggestions will be shown.If you enable or don’t configure this policy, the autosuggestion dropdown defaults to displaying the ribbon of available filters.If you disable this policy, the autosuggestion dropdown won’t display the ribbon of available filters.Location:Administrative Templates/Microsoft Edge/
Obsolete Policies
2 policies have become obsolete with Edge 109: Description: This setting allows you to list sites that are automatically granted permission to access all available devices. The URLs must be valid or the policy is ignored. Only the origin (scheme, host, and port) of the URL is evaluated. This policy overrides DefaultWebHidGuardSetting, WebHidAskForUrls, WebHidBlockedForUrls, and the user’s preferences. Location: Description: This setting lets you list the URLs that specify which sites are automatically granted permission to access an HID device with the given vendor and product IDs. Setting the policy Each item in the list requires both devices and URL fields for the item to be valid. Otherwise, the item is ignored.
Each item in the devices field must have a vendor_id and may have a product_id field.Omitting the product_id field will create a policy matching any device with the specified vendor ID.An item that has a product_id field without a vendor_id field is invalid and is ignored.
If you don’t set this policy, that means DefaultWebHidGuardSetting applies, if it’s set. If not, the user’s personal setting applies. URLs in this policy shouldn’t conflict with those configured through WebHidBlockedForUrls. If they do, this policy takes precedence over WebHidBlockedForUrls. Location: Description: This setting allows you to list the URLs that specify which sites are automatically granted permission to access an HID device containing a top-level collection with the given HID usage. Each item in the list requires both usage and URL fields for the policy to be valid.
Each item in the usages field must have a usage_page and may have a usage field.Omitting the usage field will create a policy matching any device containing a top-level collection with usage from the specified usage page.An item that has a usage field without a usage_page field is invalid and is ignored.
If you don’t set this policy, that means DefaultWebHidGuardSetting applies, if it’s set. If not, the user’s personal setting applies. URLs in this policy shouldn’t conflict with those configured through WebHidBlockedForUrls. If they do, this policy takes precedence over WebHidBlockedForUrls. Location: Description: When this policy is set to enabled, Microsoft Edge will perform verification of server certificates using the built-in certificate verifier with the Microsoft Root Store as the source of public trust. When this policy is set to disabled, Microsoft Edge will use the system certificate verifier and system root certificates. When this policy is not set, the Microsoft Root Store or system-provided roots may be used. This policy will be removed in Microsoft Edge for Microsoft Windows and macOS once support for using the platform-supplied certificate verifier and roots are planned to be removed. Location: Description: This policy controls the default value for the clipboard site permission. Setting the policy to “2” blocks sites from using the clipboard site permission. Setting the policy to “3” or leaving it unset lets the user change the setting and decide if the clipboard APIs are available when a site wants to use an API. This policy can be overridden for specific URL patterns using the ClipboardAllowedForUrls and ClipboardBlockedForUrls policies. This policy only affects clipboard operations controlled by the clipboard site permission and doesn’t affect sanitized clipboard writes or trusted copy-and-paste operations. Policy options mapping:
BlockClipboard (2) = Do not allow any site to use the clipboard site permissionAskClipboard (3) = Allow sites to ask the user to grant the clipboard site permission
Location: Description: Configure the list of URL patterns that specify which sites can use the clipboard site permission. Setting the policy lets you create a list of URL patterns that specify which sites can use the clipboard site permission. This doesn’t include all clipboard operations on origins that match the patterns. For example, users will still be able to paste using keyboard shortcuts because this isn’t controlled by the clipboard site permission. Leaving the policy unset means DefaultClipboardSetting applies for all sites if it’s set. If it isn’t set, the user’s personal setting applies. Location: Description: Configure the list of URL patterns that specify which sites can use the clipboard site permission. Setting the policy lets you create a list of URL patterns that specify sites that can’t use the clipboard site permission. This doesn’t include all clipboard operations on origins that match the patterns. For example, users will still be able to paste using keyboard shortcuts because this isn’t controlled by the clipboard site permission. Leaving the policy unset means DefaultClipboardSetting applies for all sites if it’s set. If it isn’t set, the user’s personal setting applies. Location: Description: This policy lets you filter your autosuggestions by selecting a filter from the search filters ribbon. For example, if you select the “Favorites” filter, only favorites suggestions will be shown. If you enable or don’t configure this policy, the autosuggestion dropdown defaults to displaying the ribbon of available filters. If you disable this policy, the autosuggestion dropdown won’t display the ribbon of available filters. Location:
SetTimeoutWithout1MsClampEnabledExemptDomainFileTypePairsFromFileTypeDownloadWarnings
Security Enhancements
The following 14 security vulnerabilities have been addressed in Edge 109:
Update to Edge 109
If you already have Microsoft Edge on your PC, you can simply upgrade it to the latest build using the guide given further down below. If not, use the links given in the next section to install it now. Microsoft Edge comes preinstalled in Windows 11 and 10. Learn how to uninstall Microsoft Edge. If you wish to reinstall Edge, you can go here. Once it relaunches, you can return to the About page and check that it has been updated to version 109.0.1518.52. Click on the ellipses in the top-right corner of the browser, expand Help and feedback, and then click About Microsoft Edge. Edge will now begin to scan for an update, and then download and install it if one is available. Once the download is completed, you will need to Restart the browser. If you want to download Edge 109 for offline installation, you can visit the following page which lists several methods to download and upgrade your Microsoft Edge browser. Download Microsoft Edge Browser.
Download Security Baseline for Microsoft Edge 109
Security baselines are Microsoft-recommended configuration settings that add an additional layer of security to your environment. However, Microsoft has made minor changes to Microsoft Edge v107 Security Baseline and it is still their recommended baseline for Edge 109, as noted in their announcement. This Baseline now includes 7 new computer settings and 7 new user settings. The following table contains the details of the new security settings included in Edge v107 Security Baseline:Security Setting ForDetailsLocation within Windows RegistryMachineAllow clipboard use on specific sitesHKLM\Software\Policies\Microsoft\Edge\ClipboardAllowedForUrlsMachineBlock clipboard use on specific sitesHKLM\Software\Policies\Microsoft\Edge\ClipboardBlockedForUrlsMachineDefault clipboard site permissionHKLM\Software\Policies\Microsoft\Edge!DefaultClipboardSettingMachine(Deprecated) Determines whether the Microsoft Root Store and built-in certificate verifier will be used to verify server certificatesHKLM\Software\Policies\Microsoft\Edge!MicrosoftRootStoreEnabledMachineAllow listed sites to connect to specific HID devicesHKLM\Software\Policies\Microsoft\Edge!WebHidAllowDevicesForUrlsMachineAllow listed sites to connect to any HID deviceHKLM\Software\Policies\Microsoft\Edge\WebHidAllowAllDevicesForUrlsMachineAutomatically grant permission to these sites to connect to HID devices containing top-level collections with the given HID usageHKLM\Software\Policies\Microsoft\Edge!WebHidAllowDevicesWithHidUsagesForUrlsUserAllow clipboard use on specific sitesHKCU\Software\Policies\Microsoft\Edge\ClipboardAllowedForUrlsUserBlock clipboard use on specific sitesHKCU\Software\Policies\Microsoft\Edge\ClipboardBlockedForUrlsUserDefault clipboard site permissionHKCU\Software\Policies\Microsoft\Edge!DefaultClipboardSettingUser(Deprecated) Determines whether the Microsoft Root Store and built-in certificate verifier will be used to verify server certificatesHKCU\Software\Policies\Microsoft\Edge!MicrosoftRootStoreEnabledUserAllow listed sites to connect to specific HID devicesHKCU\Software\Policies\Microsoft\Edge!WebHidAllowDevicesForUrlsUserAllow listed sites to connect to any HID deviceHKCU\Software\Policies\Microsoft\Edge\WebHidAllowAllDevicesForUrlsUserAutomatically grant permission to these sites to connect to HID devices containing top-level collections with the given HID usageHKCU\Software\Policies\Microsoft\Edge!WebHidAllowDevicesWithHidUsagesForUrlsNew security settings in Security Baseline for Edge 109 To gain more control over the browser and your PC, you can install this security baseline using the given steps: The script will now run automatically. Wait for the PowerShell window to close on its own, and the security baseline for Microsoft Edge 109 will now be installed. Check the box next to Microsoft Edge v107 Security Baseline.zip (and any other baselines you may require) and then click Next. Your download should now begin. When downloaded, extract the files into a separate folder. Right-click Baseline-LocalInstall and click on Run with PowerShell from the context menu. To run the baseline for Active Directory, you should run the Baseline-ADImport script instead.
Conclusion
Microsoft Edge 109 does not introduce any significant new features. However, it does address some critical and high-level vulnerabilities that could potentially be exploited. Therefore, it is recommended that you update your Edge browser immediately to keep your system safe. Also see:
Microsoft Edge 105 Released With Critical Security Fixes, Security Baseline; Still Might CrashDownload Microsoft Edge 106 That Rewrites Defender SmartScreen LibraryDownload Microsoft Edge 90: SSO + PDF Printing + Security BaselineDownload Microsoft Edge 98 Security BaselineDownload Microsoft Edge 106 Security Baseline
